Tag Archives: Law

A few days ago, a buzz hit the information security landscape. Slashdot (/.) relayed a BBC article announcing that a new French decree will make hashed passwords illegal. Really? Honestly, when I read this, I tweeted about it too. For security professionals, it looks totally unacceptable! Now that the buzz seems to be over, I would like to come back to this announcement.

Several security professionals started discussions on forums and were curious (if not scared) about this new decree. This kind of announcement leaves no one indifferent. Several questions were raised, like:

Will the decree make all operating systems illegal (they all store passwords hashed)?

What about banks using smart cards to authenticate their users (storing only the user's public key won't be enough to decrypt the user's data)?

An interesting thread started on the CISSPforum Yahoo! group. Unfortunately, this group is not publicly available. I asked the French CISSP who gave the most details for permission to relay the information here. Thanks to Jean-Philippe for allowing me to re-use his explanations.

According to many French information security people, the BBC news relayed by /. is wrong. The problem is not that passwords cannot be hashed; it's worse: the new French law says that organizations must keep personal data for one year (the data retention period). Where the BBC is right is that major online actors (eBay, DailyMotion) have challenged the French law. Their request will be examined by the Council of State.

Here is Jean-Philippe's analysis of the law: the decree asks e-service, e-commerce and e-banking providers to store a lot of personal and technical information related to their users. This information must be provided upon request during criminal investigations. When the user's account is created, the text asks to store:

“The connection ID;

First and last name or corporate name;

Postal address;

Pseudonym(s);

E-mail(s);

Phone number(s);

The last version of the password, and data that enable to verify and modify it.”

The “and” seems to continue the enumeration of the previous bullet points rather than to be a grammatical link between “password” and “data that…”. Well, let's hope so!

But here is the trick (yes, a legal trick): the article ends with a VERY important sentence:

“This information (login, e-mail, password, …) must be stored, and therefore provided to law enforcement, ONLY IF the service provider normally stores it.”

This sentence is the most important one here, and it saves organizations from a lot of security trouble and/or system redesign. If you are not forced to collect user information, don't! But… if you do, you must keep it for one year! To summarize:

If you store the user's password in clear text (shame on you!), then you'll have to provide it.

If you store a hash of the password, then you'll have to provide the hash.

If your system authenticates users with public keys, then you'll have to provide the escrowed private key, but again, only if you have it.
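As an added illustration of the difference between the first two cases above (this is my own example, not code from the original post or from Jean-Philippe's analysis): with a salted, iterated hash the only thing on disk, and therefore the only thing that could ever be handed over, is the verifier record. The "data that enable to verify and modify it" become the salt and iteration count stored next to the hash; "the last version of the password" is satisfied by keeping only the current record. Standard library only; the record format and function names are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Example record format (an assumption of this example, not prescribed by the decree):
#   pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000  # slow on purpose; raise it as hardware gets faster


def store_cleartext(password: str) -> str:
    """The 'shame on you' option: the stored record IS the password."""
    return password


def store_hashed(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Return the verifier record to keep on disk instead of the password.

    A fresh random salt is drawn per record, so two users with the same
    password (or one user re-setting the same password) get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Check a login attempt against the stored record.

    The salt and iteration count are read back from the record itself, which is
    exactly the 'data that enable to verify' the password: nothing else is needed.
    """
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGORITHM:
        raise ValueError(f"unsupported record type: {algo}")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with fewer iterations than current policy."""
    _, iters, _, _ = record.split("$")
    return int(iters) < iterations


def change_password(record: str, old_password: str, new_password: str) -> str:
    """'Modify' the password: prove knowledge of the old one, then replace the record.

    The caller overwrites the stored record with the returned value, so only the
    last version is ever retained, which is all the decree asks for.
    """
    if not verify_hashed(old_password, record):
        raise PermissionError("old password does not match")
    return store_hashed(new_password)


if __name__ == "__main__":
    # Constructed sample data for a local run.
    rec = store_hashed("correct horse battery staple")
    print("stored record:", rec)
    print("login ok:", verify_hashed("correct horse battery staple", rec))
    print("wrong password:", verify_hashed("Tr0ub4dor&3", rec))
    rec = change_password(rec, "correct horse battery staple", "new passphrase")
    print("after change, old password accepted:", verify_hashed("correct horse battery staple", rec))
```

If you are asked to produce "the last version of the password", what you hand over under this scheme is the record string: it lets the investigator verify a candidate password, but not recover it, which is the whole point of storing a hash in the first place.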

For those who have enough patience to read legal stuff, the original text of this decree is here.

After the HADOPI law was voted in France, other countries are following the same example. A politician is trying to introduce the same system in Belgium as an attempt to fight the exchange of illegal material on the Internet (via peer-to-peer networks). For those who aren't aware of the HADOPI law, it is also called “Riposte Graduée” in French, or “Graduated Response”. The goal is to fight the “bad guys” (and, NO, “hackers” is certainly not the right term here!) with graduated deterrents: notifications, fines, up to disconnection from the Internet (or a speed limitation). I have not yet blogged about the HADOPI law, but if the same project starts in Belgium, it's time to react!

Senator Philippe Monfils already introduced a bill at the beginning of 2010. A few days ago, he came back with a modified proposal (article in French) and now suggests involving the Internet Service Providers. ISPs already have a legal obligation to cooperate with the local authorities. Requests are typically: who used the IP address “x” at time “y”? But, with the new law, they could be prosecuted if they do not collaborate efficiently. ISPs have always presented themselves as providers of “pipes” to the Internet. You use their services like you take the motorway to go from point “A” to point “B”. If you drive at 180 km/h, the companies which maintain the motorway are not responsible for your behaviour. Or can an excavator manufacturer be held responsible for a hold-up? There are plenty of stories where robbers used an excavator to attack banks.

Leaving aside the fact that downloading copyrighted material is illegal, I compare the politicians, or the future organizations responsible for tracking the bad users, to Don Quixote fighting windmills! All IT professionals and Internet users with a little background will tell you: this law won't solve the problem. At best, the traffic will be slightly reduced. The non-technical users (“the average user”) will be afraid and stop downloading their weekly MP3 albums, but the real “leechers” won't be worried. From a technical point of view, there will always be new evasion tools to prevent the detection of illegal traffic.

Another Belgian party proposed a “global license”: a small amount of money would be added by the ISP to the user's monthly bill. Wait! At the beginning of 2010, a new tax was introduced on all media capable of storing digital content (CDs, DVDs, USB sticks, external disks, NAS, etc). To me this looks redundant. Why should people who never download illegal material pay for the others? (They are not many, but there still are some.) My opinion is that the bill proposed by Philippe Monfils is just a new “buzz” to warn citizens that downloading illegal material is bad. Just have a look at the comments posted in forums or below the articles. It's also a way to reassure the major labels. But as the picture says: “You are doing it wrong!”